Debugging messages help attackers learn about the system and plan a form of attack.

What CVEs are caused by CWE-11?

2 recorded CVEs are attributed to CWE-11, including CVE-2024-48008, CVE-2021-35235.

How do you prevent CWE-11?

Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.

How is CWE-11 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-11?

Exploiting CWE-11 can lead to: Read Application Data.

Is CWE-11 actively exploited?

2 recorded CVEs are caused by CWE-11; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-11: ASP.NET Misconfiguration: Creating Debug Binary

Affects: Confidentiality

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.

Vulnerable example

xml

<?xml version="1.0" encoding="utf-8" ?>

Change the debug mode to false when the application is deployed into production.

CWE-11: ASP.NET Misconfiguration: Creating Debug Binary

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-11?

What CVEs are caused by CWE-11?

How do you prevent CWE-11?

How is CWE-11 detected?

What are the consequences of CWE-11?

Is CWE-11 actively exploited?

References

Stay ahead of CWE-11

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-11?

What CVEs are caused by CWE-11?

How do you prevent CWE-11?

How is CWE-11 detected?

What are the consequences of CWE-11?

Is CWE-11 actively exploited?

References

Stay ahead of CWE-11